I have been asked this question a couple times now and wanted some feedback on what others thought.

Let's say you have a web application that you want your customers to be able access via their mobile device. More specifically from their smart phones.

What are some of the security considerations to keep in mind? I am especially interested in the communication from say the mobile device to the tower. What risks are present at this point?

Can you sniff 3G traffic and steal session data etc? I would imagine that this would be possible if the device connects to the web site using an open wi-fi connection yes? But what about 3G/EDGE etc. I know that intercepting voice on an edge network is possible with little effort.(Chris Paget @defcon).What about data?

Isn't a mobile device just another end point and so the same risks that would be present in a pc environment would more or less also be present in the mobile environment(sniffing/MITM/Authentication/Input validation etc).

Last edited by Dark_Knight on Wed Sep 22, 2010 7:07 pm, edited 1 time in total.

IMHO more than the risk of someone sniffing 3G (and i have no idea how practical this is), the greater risk is a customer using public WiFi to talk to your website. That would let an attacker on the same access point to launch practical attacks (man in middle via arp spoofing etc) so I would always assume that the client data to a website can be intercepted and then do the design based on this assumption (eg SSL, application level encryption etc)Another point: sometimes a dangerous assumption is that because it is a mobile application, it will only be accessed via mobile devices. For example: I have encountered cases in which the developers assumed that they are restricting access to mobile browsers by checking the User Agent field in the HTTP request and checking that against a whitelist of mobile browser Use Agents. Based on this false assumption, the website then had other bad practises like having hidden fields to control business logic because 'who would be able to see hidden fields from a mobile device'!